Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to set up a proxy search with an alert?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set up a proxy search with an alert?
MarkNicholls
Loves-to-Learn Lots
02-17-2022
03:15 AM
Hello,
I am looking at creating a dashboard which shows us the least visited domains in the last 30 days. I also want to setup a email alert every hour of the most and least visited domain. Unfortunately, I don't have any domain tools / applications installed and want to create a search for the time being.
Usecase:
URL Count in the last 30 days within a certain location
Only see the top level domains
Setup email Alert every hour
I have currently got this setup but it doesn't work properly:
index=proxy OR index=web gateway src_country="country"
| regex url="(?<TLD>\.\w+?)(?:$|\/)"
| search
([|inputlookup of users.csv])
| stats count as Total by url
Thanks,
Mark Nicholls
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MarkNicholls
Loves-to-Learn Lots
02-21-2022
02:50 AM
So I have made some progress on this thankfully, the search is now looking like this:
index=proxy OR index=web gateway src_country="country"
| rex "\/\/(?:[^@\/\n]+@)?(?:www\.)?(?<url>[^:\/\n]+)"
| search
([|inputlookup users.csv])
| stats count as Total by url
| sort 0 - "Total"
The results are laid out perfectly with the count and top level domains, but I'm are getting a lot of URLs like, 'google.com', 'youtube.com' etc, which is obviously usual traffic. I'm now looking into getting the top 1m alexa domains added to the search so we can exclude all the known URLs.
Would this type of search be possible? We will have 2 inputlookups in one search, 1 searching a specific user set and the other to exclude known domains. How could I implement that into the search query?
Also, would it be possible to have an email sent with an attachment showing the 20 least communicated URLs? Our current alert doesn't seem to be working:
Alert Type: Real Time
Expires: 72 hours
Trigger when: Number of results, is equal to 20, in 60min
Trigger: Once
Throttle: 58min
Action: send an email with .csv attachment
Thanks,
Mark Nicholls
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-17-2022
07:16 AM
You can just add "| sort 2 +Total" (for top 2 least visited URL) OR "| sort 2 -Total" (for top 2 most visited URL).
If above doesn't work as expected, please provide more details on how you see the data now and what's expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MarkNicholls
Loves-to-Learn Lots
02-17-2022
07:52 AM
Hi Somesoni,
Thank you for your response.
So I have made some progress on this thankfully, the search is now looking like this:
index=proxy OR index=web gateway src_country="country"
| rex "\/\/(?:[^@\/\n]+@)?(?:www\.)?(?<url>[^:\/\n]+)"
| search
([|inputlookup users.csv])
| stats count as Total by url
| sort 0 - "Total"
The results are laid out perfectly with the count and top level domains, but I'm are getting a lot of URLs like, 'google.com', 'youtube.com' etc, which is obviously usual traffic. I'm now looking into getting the top 1m alexa domains added to the search so we can exclude all the known URLs.
Would this type of search be possible? We will have 2 inputlookups in one search, 1 searching a specific user set and the other to exclude known domains. How could I implement that into the search query?
Also, would it be possible to have an email sent with an attachment showing the 20 least communicated URLs? Our current alert doesn't seem to be working:
Alert Type: Real Time
Expires: 72 hours
Trigger when: Number of results, is equal to 20, in 60min
Trigger: Once
Throttle: 58min
Action: send an email with .csv attachment
Thanks,
Mark Nicholls
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
